wireless security – Overview – Original 802.11

View Github Repository Open presentation in a new window

graingert

See all presentation from graingert

wireless security – Overview – Original 802.11

0 0

wireless

On Github graingert / wireless

wireless security

Thomas Grainger

Overview

  • Original 802.11 specification
    • Open System vs Shared Key Authentication
    • MAC, SSID filtering
    • WEP
      • Operation
      • Flaws
      • Fixes
  • 802.11i (WPA and WPA2)
    • TKIP
    • AES

Original 802.11

  • Two methods of authentication
    • "Open System Authentication"
    • "Shared Key Authentication"
  • One Method of Encryption
    • "Wired Equivalence Privacy", WEP

Open System Authentication

  • Null authentication
  • Can be used with WEP encryption providing implicit authentication
  • Clients requests to join, either "Successful" or otherwise

Shared Key Authentication

  • Uses shared key to authenticate clients with a four way handshake
  • Doesn't require encryption
  • Shared Key Authentication + Encryption is less secure than Open System Authentication + Encryption

Authentication

  • Focusing on Open System Authentication
  • Some basic systems build on top to provide authentication without keys:
    • MAC Filtering
    • SSID Hiding

MAC Filtering

  • Make a list of MAC addresses that are authorized to connect
  • If a client is not on that list, issue "Unspecified Failure" rather than  "Success"

MAC Filtering

MAC Filtering

  • Widely available
  • Client doesn't have to support anything extra

  • Administration overhead to maintain list
  • Simple to circumvent!

SSID Hiding

  • Simply avoid advertising the SSID of the network in beacon frames
  • Prevents the network showing up in network scanners
  • But...

SSID Hiding

  • The SSID can be easily discovered
  • Open up Wireshark and look for:
    • PROBE requests
    • PROBE responses
    • ASSOCIATION requests
    • REASSOCIATION requests

SSID HidinG

SSID Hiding

Not only ineffective security:
  • Can interfere with roaming, because clients use beacons from APs to switch when a stronger signal is available
  • Creates network congestion when clients probe for APs

Wired Equivalent Privacy (WEP)

  • Released with the original 802.11 standard in 1999
  • Responsible for both authentication and encryption
  • Name comes from the "idea" that it would provide the same security as a wired connection

(WEP) Broken By Design

  • Uses a 40-bit shared key
  • Only 40-bits to comply with US restrictions on exporting cryptography technology
  • Brute-force was already practical when the protocol was designed
  • Protocol extended by many manufacturers using a 104-bit key (also called 128-bit)
  • The 104-bit keys operate in exactly the same way as 40-bit keys

(WEP) Encryption Algorithm

  • Uses RC4 encryption algorithm from RSA Data Security
  • Stream cipher
  • Simulates a one-time-pad using a pseudo random number generator (PRNG) seeded from a key
  • Each bit of the plain-text is XORed with a bit of the key-stream

(WEP) Operation

  • Because RC4 is a stream cipher a missing bit would cause a misalignment with the key-stream
  • Frames are expected to be lost so process is restarted each frame
  • However...

WEP (Operation)

  • If you restart the process each time you get the same key-stream each time
  • C1⊕C2=P1⊕P2
  • ⊕=⊕=
  • To prevent key-stream reuse, a random 24-bit Initialization Vector (IV) is appended to the shared key

(WEP) Operation

  • Every frame includes an Integrity Check Value (ICV)
  • CRC-32 hash of the plain-text is appended to the plain-text
  • The receiver re-computes the CRC-32 hash of the message and if it does not match the frame is dropped

WEP (DIAGRAM)

(WEP) FLAWS

  • ICV
  • Key-stream discovery
  • Frame Injection
  • Tews, Weinmann, and Psyhkin Shared Key Recovery
  • The Caffe Latte Attack

(WEP) ICV FLAW

  • WEP uses CRC-32 hash for Integrity Check Value (ICV)
  • CRC is a poor cryptographic hash because it is a linear function of the message
  • Check-sum algorithms are "unsuitable as cryptographic hash functions"
  • C'=C⊕(Δ,c(Δ))
  • C: original, C': modified, Δ: changes, c(Δ): CRC-32 of Δ
  • An attacker can flip any bit in thecipher-text and correctly adjust the encrypted hash to avoid detection

(WEP) Key Stream Discovery

  • RC4 becomes vulnerable if two messages are encrypted using the same key-stream
  • To protect against this, each frame has a random 24-bit Initialization Vector (IV)
  • The probability of an IV being repeated after 4,096 messages becomes likely due to the "birthday paradox"
  • Can then determine plain text and key-stream

WEP (Frame Injection)

  • WEP has no anti-replay protection
  • Can re-use known IV and key-stream (gained from previous attacks) to generate unlimited valid frames
  • An attacker can capture frames and resend them
  • Denial of Service or send malicious traffic

(WEP) Shared Key Recovery

  • Possible to recover 104-bit shared key in less than a minute
  • Uses the predictability of the ARP protocol: first 16 bytes known
  • XOR known bytes with the cypher text bytes
  • gets the first 128 bits of key-stream and IV
  • with enough packets, shared key can be determined statistically
  •  Because no replay prevention, broadcast ARP requests to get more ARP responses

(WEP) Caffe Latte Attack

  • Listen to a PROBE for an access point (AP)
  • Create fake SSID for the AP
  • Repeatedly challenge, and de-authenticate target client to force it to generate DHCP and ARP requests
  • Don't need to be near the original SSID
  • Just some client that has been configured to automatically connect to a WEP network
  • Sit in a coffee shop and listen to clients

(WEP) Fixes

  • WEP2
  • WEPplus
  • Dynamic WEP

WEP2

  • Extends shared key and IV to 128 bits
  • Still allows IV re-use
  • Still uses CRC-32 for ICV

WEPPlus

  • Proprietary enhancement to WEP by Agere Systems
  • Avoid "Weak IVs" in WEP
  • Only effective when used at "both ends"
  • Doesn't prevent replay attacks
  • Interestingly Linux Kernel > 2.6.20 includes protection against weak IVs

Dynamic WEP

  • Give each user a dynamically generated key
  • Never standardized
  • Idea carried over into 802.11i

None of the "Fixes" are any good

Ultimately none of the WEP fixes were ever seriously used or effective

The only way to fix WEP implementations is to replace them

802.11i

  • Draft published in 2003 (2 years after WEP first cracked!)
  • Ratified on 24th June 2004 as 802.11i
  • On March 8th 802.11i and 802.11(a,b,d,e,g...j) combined into "IEEE 802.11-2007"
  • Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2)

WPA

  • Just the minimum support required to buy time to develop WPA2
  • Can only use Temporal Key Integrity Protocol (TKIP)
  • TKIP still uses RC4, but with a better implementation:
    • Uses key mixing for shared key and IV
    • Prevents using the same encryption key twice
    • Uses a sequence counter to prevent replay attacks
  • Insecure anyway

WPA2

  • WPA2 allows the use of the Advanced Encryption Standard (AES) encryption as well as TKIP
  • AES is a block cipher, so none of the repeated key attacks apply
  • When used with AES, WPA2 might actually be secure

WPA(2) FLAWS

  • Still allows the use of TKIP
  • Encryption key is based on the pre-shared key and the SSID of the network
  • All of of the top million passwords, with each of the top thousand SSIDs in rainbow table
  • Group Key system is insecure

Questions?

References

http://www.cryptosmith.com/archives/70 http://itffroc.org/pubs/benton_wireless.pdf http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf http://www.ranum.com/security/computer_security/papers/otp-faq/ http://pdos.csail.mit.edu/decouto/papers/802.11.pdf http://www.edshare.soton.ac.uk/9916/